b7b07d7009461e13af39176887afdb91164ad12f08011b1a2f42262ca4e0f423

Resubmissions

22/09/2022, 16:00

220922-tfvyqaffcp 8

22/09/2022, 15:50

220922-s98w1abgh7 8

Analysis

max time kernel
221s
max time network
341s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2022, 16:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

242663212250159.exe
Size

308.4MB
MD5

3a6cd8b709c0ef1e1821bfc3539220cf
SHA1

15c10961770f318ac36ae0b8e448045536d97240
SHA256

b7b07d7009461e13af39176887afdb91164ad12f08011b1a2f42262ca4e0f423
SHA512

202f7184ba39041d4e26191c940b9c15d89abb192a51fb4585521aa1fa754b8484b50b9e79c866d70b534576c74feed4b581ae4a212a7b6ecfb4be79d4d6b668
SSDEEP

98304:XjCfbznDbWRrJn/0JFy5LCPG/KNdmURLN8k6q47YXYhVrQnJRUCWMW:rufylCPG/eRLN8k6q47YXYhV0JR+MW

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3352	UpdatingExcelzpVxVmK.exe
576	UpdatingExcelzpVxVmK.exe
4592	UpdatingExcelzpVxVmK.exe
2244	UpdatingExcelzpVxVmK.exe
4648	UpdatingExcelzpVxVmK.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	242663212250159.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	UpdatingExcelzpVxVmK.exe
File opened (read-only)	\??\D:	UpdatingExcelzpVxVmK.exe
File opened (read-only)	\??\D:	UpdatingExcelzpVxVmK.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
75	ipinfo.io

Maps connected drives based on registry 3 TTPs 9 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	UpdatingExcelzpVxVmK.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	UpdatingExcelzpVxVmK.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	UpdatingExcelzpVxVmK.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	UpdatingExcelzpVxVmK.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	UpdatingExcelzpVxVmK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	UpdatingExcelzpVxVmK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	UpdatingExcelzpVxVmK.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	UpdatingExcelzpVxVmK.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	UpdatingExcelzpVxVmK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe
2572	242663212250159.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 3352	2572	242663212250159.exe	101
PID 2572 wrote to memory of 3352	2572	242663212250159.exe	101
PID 2572 wrote to memory of 3352	2572	242663212250159.exe	101
PID 2572 wrote to memory of 576	2572	242663212250159.exe	102
PID 2572 wrote to memory of 576	2572	242663212250159.exe	102
PID 2572 wrote to memory of 576	2572	242663212250159.exe	102
PID 2572 wrote to memory of 4592	2572	242663212250159.exe	103
PID 2572 wrote to memory of 4592	2572	242663212250159.exe	103
PID 2572 wrote to memory of 4592	2572	242663212250159.exe	103
PID 2572 wrote to memory of 2244	2572	242663212250159.exe	104
PID 2572 wrote to memory of 2244	2572	242663212250159.exe	104
PID 2572 wrote to memory of 2244	2572	242663212250159.exe	104
PID 2572 wrote to memory of 4648	2572	242663212250159.exe	105
PID 2572 wrote to memory of 4648	2572	242663212250159.exe	105
PID 2572 wrote to memory of 4648	2572	242663212250159.exe	105
PID 2572 wrote to memory of 5052	2572	242663212250159.exe	106
PID 2572 wrote to memory of 5052	2572	242663212250159.exe	106
PID 2572 wrote to memory of 5052	2572	242663212250159.exe	106

C:\Users\Admin\AppData\Local\Temp\242663212250159.exe
"C:\Users\Admin\AppData\Local\Temp\242663212250159.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2572
- C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe
  "C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Maps connected drives based on registry
  PID:3352
- C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe
  "C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Maps connected drives based on registry
  PID:576
- C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe
  "C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Maps connected drives based on registry
  PID:4592
- C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe
  "C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe
  "C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe"
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe
  "C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe"
  2⤵
  PID:5052
- C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe
  "C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe"
  2⤵
  PID:4620
- C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe
  "C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe"
  2⤵
  PID:3644
- C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe
  "C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe"
  2⤵
  PID:768
- C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe
  "C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe"
  2⤵
  PID:2460
- C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe
  "C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe"
  2⤵
  PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe

Filesize
194.1MB

MD5
48bc1f7f8f834e33718061c08b405369

SHA1
c8a45d0765864f7650394de8c7a9c0d142414954

SHA256
37d5be976ac226eb4dc3d6a931a1dc6bebc9ca0f89cc96ba0ed2febf1a99af99

SHA512
6e54f133395b00abc9a896108cca02dec779302c3c7c648dc45000b2d4a6aa6e1a4d35fe55a7723fc5c16f695599eab074b1031c6d887814dfcc95125e1a21b5

Download Submit
C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe

Filesize
190.8MB

MD5
9e89b3cbab646a9f0fb15a16f77f6778

SHA1
5555b64d5da4ae8dcf81fe9ca4e74f5ad81ffb44

SHA256
8bc92b63f63710392b43e3bba359200b8d13102d331922e62f9c6484c6f8fbff

SHA512
995e03a47be05f700d6b1bbb2d2faa164ed22b7e6160aa22b4f721dcab97cc8125aa0f2730e054c2b9e4c9094cca684f1efd8cd78fe3425eab2868b2f858e62f

Download Submit
C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe

Filesize
193.5MB

MD5
cf8c9cfa83e38cbadf141143c705775b

SHA1
75b73fb4efb2c1edd09e4334f0b08b94f71ab7e7

SHA256
e9f1a32707211acb4ab39ed72e9dd38770dde0689829af5c98204b7e6ac40383

SHA512
3d8d7aac040b44e74b631b455a5d3392818b37c837c715c4c624a79c3dc86fd71d2e495946e90dfde24386674a0f7d050aa44acfe2a6ed7e3dabc8a3584154ec

Download Submit
C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe

Filesize
184.8MB

MD5
f319561f6712929456f2df3404f06715

SHA1
b951900017969b66070a38223a801939e1934f9e

SHA256
108ff4837334959539d8e300b5bb25dd99dd6565399a9ec554e552f09b40de2f

SHA512
7d6758b616e7c5d6f6e750e6cdaf2c658cd55cf4417051dd581f7b9fff5c62da9f832864f9b70ed45d33289ace6787454832c5da756b4dd88bcfff789fc92311

Download Submit
C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe

Filesize
184.1MB

MD5
7f75b9946f7ac19df71b5d80838d6c55

SHA1
4184e61c8f13dd03373f51c90f4fd9fde1e8f84f

SHA256
bd7e0116bdffc398a4f0382d6047a35365423b27873eb8881853ee956f19afa4

SHA512
90bacebc8c96514aa6d5bf488178bede7a1a01a5841c5d45c7a587eea87e1d58bad6bef5a7dab49f0ee3351e9782ec3a53ad650a172df47f24fe91bba551d4b6

Download Submit
C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe

Filesize
115.9MB

MD5
3ea9b9d5d8410529c167edc44eb3ab3c

SHA1
2c9c0ee9a92b2b2252eacaebcfc91d439d528828

SHA256
5b742e139d6a6b71ea8e47d92dc49057d57610921bff8889710b9b1a24703ecc

SHA512
10d333bd6d50e2ef48a67309a1f1bae884d350c681edec6c570cb3410a982c9811751cd601a55016f20e496306ece107574f580fa71cb3a41be2e848fc134a0a

Download Submit
C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe

Filesize
115.6MB

MD5
f570e8ea8b0de0ae3e2ca0cda419bce1

SHA1
123f1dbb10ca59fd2e9cf29fd46c64e9b46f0214

SHA256
9825008afaf7fac82f1ddd62a8386a6699f5f08c7fc51f5f1d630553cb81d062

SHA512
b6b793394d28111434f5485c9d04201607d0765e1c1d87e5db0892f8fc417c2af2dd37e1cc4fbbe147a563bf606b0076006ca1197effebcf6d839fdc57383032

Download Submit
C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe

Filesize
115.7MB

MD5
604d5cab9788ff3161f319e8b3646a4c

SHA1
b0d64b0d19b95619069289e8c5929c4f6cef63a9

SHA256
712b6b33995a7ac2e4be936e7fb580141545a26c448d62c7c261386d17ad8d63

SHA512
446a636083fae3273995b5ee40b5d8418644b5f1f4ae977520e7a1210d08b3e06453e60823e622d07670214397ce80cac1b34bdee86f66b2eee75fb0eee823ca

Download Submit
C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe

Filesize
39.4MB

MD5
4da8fb05955846a74369ff9bb879a0d3

SHA1
811aba6fdee8dcbfadfd684c88dd88bbdd4c983c

SHA256
d25fc2e06bef728fb8c767cd60f4b3603b9af098c88f83348726fdbaca231a98

SHA512
f4402f0a31224f9491ec8e935aade1d52debc766fa7040f5476e2e464e7b940e1726faeab57cf32a2f1dac9cb005944b77276a5ff951f014abab4a8a8dca7310

Download Submit
C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe

Filesize
35.8MB

MD5
f33ad631a8d6662a736590b6530246ea

SHA1
6eb683df07b16289633a368fedbf0e7e4e4281ec

SHA256
6ceed097d9d0943f0d12de0478bf1bb6ac94d8d5581e33bbbea5f141634b1e18

SHA512
9b1244ac354c1fb6e7c630db84d01d124955ba469e429a788d2640f2e3fa8c690058e002eeccdb3a188ddc049444b521ee53ad2cca503223fb8759237373c4d8

Download Submit
C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe

Filesize
35.4MB

MD5
75ea7e17d50ad9380461aa9110933f9b

SHA1
33af1e550e8bce269b2037530189dbdd61fe73c0

SHA256
f44b9730537fd86b84a97660b4a3b322572e1d990c53abbd7717737932f64097

SHA512
97a9132bec177beec402d9771f4de3c3030fb39addd8590fa2caa3f2c09e758b7c97fbd407b8769532eb5f113a3c796acba52dd1236b950485a8312e6dea73bf

Download Submit
C:\ProgramData\UpdatingExceluKyVdjt\UpdatingExcelzpVxVmK.exe

Filesize
35.4MB

MD5
c721ffb137c3c58774b9b23eaf324c7d

SHA1
512f519ecefcde4727d5c4f78359852a15339ef2

SHA256
cc64467616f3d25ea0ed4ed6461ee94bb42e6fd1880f3824a3f353c518b9ca2e

SHA512
225307ae35e0d34999b77a16c7655779274a0a211bfc5cffd5794065ca540563a3bb9ce66fe803a58b58c8bbeca7b96eb408c27c5e58bf797b8b6da08ecc7b60

Download Submit